1 Introduction


Dynamic logic [5, 6, 15, 16] applies concepts from modal logic to a relational semantics of
programs to yield various systems for reasoning about the before-after behavior of programs.
Analogous to the modal logic assertions ◇p (possibly p) and □p (necessarily p) are the dynamic
logic constructs <a>p and [a]p. If a is a program and p is an assertion about the state of a
computation, then <a>p asserts that after executing a, p can be the case, and [a]p asserts that after
executing a, p must be the case.


A dynamic logic includes both a programming language for representing programs and an 
assertion language for expressing properties of computation states; different dynamic logics result 
from the selection of different programming and assertion languages. The underlying assertion 
language of propositional dynamic logic or PDL [5, 6, 16] is the propositional calculus; its 
programming language consists of regular expressions over uninterpreted program labels and tests, 
i.e., the programming primitives are black box programs, and more complicated programs are built
up using the nondeterministic control structures of sequencing, testing, choosing, and iterating. 


Although PDL can express many interesting properties of programs, Pratt has shown that 
it is not powerful enough to capture the notion of infinite looping in regular programs [16]. 
However, by adding a natural formula construct delta to PDL, we obtain a programming logic
strong enough to express a useful propositional notion of infinite looping. The resulting logic is
also strong enough to express all formulae of two other propositional logics of programs:
Mirkowska’s Propositional Algorithmic Logic (PAL) [12] and Ben-Ari’s, Manna’s, and Pnueli’s
Unified Logic of Branching Time (UB) [1].


A striking feature of PDL is that it satisfies the following finite model property: an 
arbitrary (perhaps infinite) model of a PDL formula p can be reduced to a small finite model of p 
by merging those states which satisfy exactly the same subformulae of p. This property plays a
key role in the known decision procedures for PDL [5, 17]. This technique does not extend to
delta-PDL, since there is a formula which is satisfiable in an infinite model which cannot be
reduced to a finite model by merging states. This delta-PDL formula is therefore not equivalent to
any PDL formula, and so delta-PDL is strictly more expressive than PDL. Nevertheless, we shall
see that delta-PDL is decidable and does satisfy a finite model property.


Pratt’s original formulation of dynamic logic included the programming construct converse 
[15]. Given a program a, the converse of a is the program which runs a backwards, i.e., which
undoes all the computations performed by a. Converse-PDL, the extension of PDL to include the
converse construct, satisfies the same finite model property as PDL and the known decision
procedures for PDL extend without difficulty to converse-PDL [5, 17].
The two constructs delta and converse interact to make delta-converse-PDL significantly
different from either delta-PDL or converse-PDL. Delta-converse-PDL does not satisfy the finite 
model property: there is a formula satisfiable in an infinite model but not in any finite model. 
This proves that delta-converse-PDL is strictly more expressive than either delta-PDL or converse- 
PDL. The failure of a logic to satisfy the finite model property is often taken as an indication of 
its undecidability, but in this case the evidence is misleading; delta-converse-PDL is in fact 
elementarily decidable, viz., decidable in time bounded by an eightfold composition of exponential
functions. 


There is a straightforward proof of the decidability of delta-PDL by embedding it into 
SnS, the second order theory of several successors [21]. (This method was used by Parikh to prove
the decidability of a logic which he called Second Order Acyclic Process Logic (SOAPL) [14].) The 
upper bound on the complexity of delta-PDL obtained in this way is not elementary, since SnS 
cannot be decided in elementary time [10]. In any case, there does not appear to be a 
straightforward embedding of delta-converse-PDL into SnS. 


Models of delta-PDL and SOAPL formulae can be viewed as labelled graphs. These 
graphs can be unravelled or unwound into tree-structured models in which programs conform to 
the tree structure, i.e., programs connect nodes only to their descendants in the tree. The
translation of these logics into SnS depends crucially on this fact. The decidability of SnS can be
established via a reduction to the emptiness problem of automata on infinite trees [18]. A
quadruply exponential time decision procedure for delta-PDL can be obtained by directly reducing
delta-PDL satisfiability to this emptiness problem, bypassing the translation into SnS [22]. The
reduction involves the construction, for each formula p, of an automaton which accepts, in some
sense, models of p. It follows by automata theoretic arguments that every satisfiable formula has a
finitely generable model, i.e., a model obtained by unravelling a finite graph. It is not difficult to
show that this finite graph is itself a model, so that delta-PDL does satisfy the finite model
property. The quadruply exponential upper bound on the computational complexity of delta-PDL
can be improved by an exponential factor by showing that the automata used to decide delta-PDL
satisfiability belong to a special class whose emptiness problem is exponentially easier than the
general case.


Models of delta-converse-PDL formulae are also labelled graphs and these graphs can also 
be unwound into tree-structured models. However, unlike the tree models for the previous logics, 
programs in delta-converse-PDL tree models do not conform to the underlying tree structure; 
programs can link arbitrary nodes of the tree. The presence of such programs prevents a
straightforward reduction of delta-converse-PDL to the emptiness problem for automata on infinite
trees. However, the semantics of the converse construct suggests a definition of deterministic two-
way automata on infinite trees such that the satisfiability problem for delta-converse-PDL is
reducible to the emptiness problem for these newly defined automata. The decidability of delta-
converse-PDL follows from a reduction of the two-way emptiness problem to the ordinary or one-
In addition, Parikh showed that adding additional axioms


(9) $p \rightarrow [a]\langle a^{-} \rangle p$
(10) $p \rightarrow [a^{-}]\langle a \rangle p$


to the above complete axiomatisation for PDL yields a complete axiomatisation for converse-PDL
[13]. A natural question to ask is whether there are one or more axioms concerning the $\Delta$
construct which, when added to the above complete axiomatisations for PDL and converse-PDL,
yield complete axiomatisations for delta-PDL and delta-converse-PDL.


Conjecture. The following two axioms 


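(11) $\Delta a \leftrightarrow \langle a \rangle \Delta a$
(12) $[a^*](p \rightarrow \langle a \rangle p) \rightarrow (p \rightarrow \Delta a)$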


are sufficient to produce complete axiomatisations for delta-PDL and delta-converse-PDL. 


The complexity theory results in this thesis have depended very heavily on results 
concerning finite automata on infinite trees. Below are two interesting open problems concerning
two-way automata.
Open Problem. Can nondeterministic two-way automata be simulated by one-way automata? 


Open Problem: How many states are required to simulate a two-way automaton with a one-way
automaton? In particular, is there, for infinitely many n, a two-way automaton with n states which
cannot be simulated by a one-way automaton with less than $2^{n}$ (or $2^{2^{n}}$ or $2^{2^{2^{n}}}$ or $2^{2^{2^{2^{n}}}}$) states?


way emptiness problem. 


Although delta-converse-PDL does not satisfy the finite model property, the models of a
delta-converse-PDL formula are recognizable by a finite automaton. As before, it follows that
every satisfiable formula has a finitely generable model, i.e., a model obtained by unravelling a
finite graph. Although in general this finite graph is not a model of the original formula, it is a 
representation of a model, so that delta-converse-PDL satisfies a finite representation property. 
This clarifies why the logic is decidable. 


Most of the results in this thesis which concern delta-PDL originally appeared, in different
form, in the author’s Master’s thesis [22]. A preliminary version of the results in this thesis
concerning delta-converse-PDL appeared in the Proceedings of the Thirteenth ACM Symposium on
the Theory of Computing [23]. 
6 Conclusions and Open Problems


The main results of this thesis are elementary recursive decision procedures (i.e., algorithms
which run in time $O(\exp^m n)$ for some m, where n is the length of the input) for delta-PDL and
delta-converse-PDL. The existence of these algorithms establishes upper bounds on the
computational time complexity of the satisfiability problem for these logics. Unfortunately, the 
best lower bound for these logics is the following one proved by Fischer and Ladner for PDL. 


Theorem 6.1 [6]: There is a constant c > 1 such that PDL (and hence its extensions) cannot be 
decided in time $c^n$, where n is the length of the formula tested.


The large gaps between the best known upper and lower bounds, doubly exponential in the 
case of delta-PDL and septuply exponential in the case of delta-converse-PDL, leave room for 
further work in the complexity theory of these logics. 


Open Problem: What are the exact computational complexities of delta-PDL and delta-converse- 
PDL? In particular, does either or both require doubly exponential time to decide? 


Since PDL is decidable, it has an uninteresting complete recursive axiomatisation: the set of 
all valid formulae. However, one would still like to find a simple and natural complete 
axiomatisation. In the case of PDL, a completeness proof for the following set of axioms was first 
announced by Segerberg [20]; the first complete proof to appear is due to Parikh [13]. 


Axioms: 


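(1) All the tautologies of the propositional calculus
(2) $[a](p \rightarrow q) \rightarrow ([a]p \rightarrow [a]q)$
(3) $[a;b]p \leftrightarrow [a][b]p$
(4) $[a \cup b]p \leftrightarrow [a]p \;\&\; [b]p$
(5) $[a^*]p \rightarrow p \;\&\; [a]p$
(6) $[a^*]p \rightarrow [a^*][a^*]p$
(7) $[a^*](p \rightarrow [a]p) \rightarrow (p \rightarrow [a^*]p)$
(8) $[p?]q \leftrightarrow (p \rightarrow q)$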


Rules of Inference: 


(Modus ponens) If p and $p \rightarrow q$ are theorems, then q is a theorem.
(Generalization) If p is a theorem, then so is [a]p. 


2 Syntax, Semantics, and Expressive Power 


In this chapter we formally define the syntax and semantics of delta-converse-PDL (which 
contains PDL, delta-PDL, and converse-PDL as sublogics). We then show how a large number of 
logical constructs used in proving program correctness can be expressed in delta-converse-PDL. 
We next prove some relationships between delta-converse-PDL, its various sublogics, and two other
propositional logics of programs, the Propositional Algorithmic Logic (PAL) of Mirkowska [12] and 
the Unified Temporal Logic of Branching Time (UB) of Ben-Ari, Manna, and Pnueli [1]. 


We are given a set $\Pi_0$ whose elements are called atomic programs and a set $\Phi_0$ whose
elements are called atomic formulae. Capital letters A, B, C, ... from the beginning of the
alphabet will be used as variables over $\Pi_0$, and capital letters P, Q, R, ... from the middle of the
alphabet will be used as variables over $\Phi_0$.


The set of programs, $\Pi$, and the set of formulae, $\Phi$, of delta-converse-PDL are then
defined inductively (note the use of letters a, b, c, ... as variables over $\Pi$ and p, q, r, ... as
variables over $\Phi$):


$\Pi$: (1) $\Pi_0 \subseteq \Pi$
(2) If $a, b \in \Pi$ then $a;b$, $a \cup b$, $a^*$, $a^{-} \in \Pi$
(3) If $p \in \Phi$ then $p? \in \Pi$

$\Phi$: (1) $\Phi_0 \subseteq \Phi$
(2) If $p \in \Phi$ then $\neg p \in \Phi$
(3) If $a \in \Pi$ and $p \in \Phi$ then $\langle a \rangle p$, $\Delta a \in \Phi$


The sublogics of delta-converse-PDL are defined as follows. The formulae and programs of
converse-PDL are those not containing any occurrence of $\Delta a$. The formulae and programs of
delta-PDL are those not containing any occurrence of $a^{-}$. The formulae and programs of PDL
are those containing neither $\Delta a$ nor $a^{-}$.


Definition: A structure is a triple $S = \langle U, \models_S, \langle\rangle_S \rangle$ where
(1) U is a non-empty set, the universe of states.
(2) $\models_S$ is a satisfiability relation on the atomic propositions, i.e., a predicate on $U \times \Phi_0$.
(3) $\langle\rangle_S$ assigns binary relations on states to the atomic programs.


Definition: A structure $S = \langle U, \models_S, \langle\rangle_S \rangle$ is a tree structure if and only if U is a tree and for all
states u and v and atomic programs A, $u \langle A \rangle_S v$ only if u and v are neighbors in the tree, i.e., either
v is a successor of u or vice versa. The tree structure S is one-way if and only if for all states u
and v and atomic programs A, $u \langle A \rangle_S v$ only if v is a successor of u.


Note: The above proof does not extend to


convene can repesey ft infin pte in the —


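Definition: Given a structure S, $\models_S$ and $\langle\rangle_S$ can be extended to arbitrary formulae and programs
as follows:


(1) $u \models_S \neg p$ iff not $u \models_S p$.

(2) $u \models_S \langle a \rangle p$ iff $\exists v.\ u \langle a \rangle_S v$ & $v \models_S p$.

(3) $u \models_S \Delta a$ iff $\exists u_0, u_1, \ldots$ such that $u_0 = u$ and
$\forall n \geq 0.\ u_n \langle a \rangle_S u_{n+1}$.

(4) $u \langle a;b \rangle_S v$ iff $\exists w.\ u \langle a \rangle_S w$ and $w \langle b \rangle_S v$.

(5) $u \langle a \cup b \rangle_S v$ iff $u \langle a \rangle_S v$ or $u \langle b \rangle_S v$.

(6) $u \langle a^* \rangle_S v$ iff $u \langle a \rangle_S^{*} v$.

(7) $u \langle a^{-} \rangle_S v$ iff $v \langle a \rangle_S u$.

(8) $u \langle p? \rangle_S v$ iff $u = v$ and $u \models_S p$.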


If a and b are programs, then a;b is the program which executes first a, then b. The programming
connectives $\cup$ and * are nondeterministic; if a and b are programs, then $a \cup b$ is a program which
permits a choice of either a or b, and a* is a program which permits a choice of some number
(possibly zero) of iterations of a. If p is a formula, then the program p? can be thought of as an
abbreviation for if p then skip else abort, i.e., it permits execution to proceed if p is true and
interrupts execution if p is false. If a is a program, then $a^{-}$ is the converse of a, i.e., it undoes the
computations performed by a (however, since a can take several input states to the same output
state, doing a followed by $a^{-}$ can take a state to some other state besides itself). If a is a
program, then $\Delta a$ is a formula which is true whenever there is a way to repeatedly execute the
program a without stopping.


The primitive constructs of delta-converse-PDL can be used to define many other interesting 


constructs as abbreviations. For example: 


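A correctness assertion: $[a]p =_{df} \neg\langle a \rangle\neg p$
Boolean operators: $p \;\&\; q =_{df} \langle p? \rangle q$
$p \rightarrow q =_{df} [p?]q$
$p \vee q =_{df} \neg p \rightarrow q$
$p \leftrightarrow q =_{df} (p \rightarrow q) \;\&\; (q \rightarrow p)$
Propositional constants: $true =_{df} P \vee \neg P$
$false =_{df} P \;\&\; \neg P$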




Rabin [8, 19] has shown that every nonempty automaton recognizable set of infinite trees 
contains a finitely generable tree, i.e., an infinite tree which can be obtained by unwinding a finite 
graph. Although delta-converse-PDL does not satisfy the finite model property, Rabin’s result 
shows that every satisfiable delta-converse-PDL formula has a finite representation. In the case of 
delta-PDL formulae, however, it is possible to transform the generating graph for an image for the 
formula into a finite model. 


Theorem 5.11: For all delta-PDL formulae p, if p is satisfiable, then p has a finite model. 


Proof: If p is satisfiable, then by the preceding results, there is a scheme $S = \langle T_{N+1}, \models_S, \langle\rangle_S \rangle$
for p whose image f is finitely generable. Hence there is a finite subtree T of $T_{N+1}$ and a
generating map $J: front(T) \rightarrow int(T)$ such that $f = f \circ J^*$. Define a finite structure $R = \langle T, \models_R, \langle\rangle_R \rangle$
as follows. For $x \in T$ and P an atomic program, let $x \models_R P$ iff $x \models_S P$. For x and $y \in T$
and A an atomic program, let $x \langle A \rangle_R y$ iff either $x \in int(T)$ and $x \langle A \rangle_S y$ or $x \in front(T)$ and
$J(x) \langle A \rangle_S y$. We will prove, by structural induction on formulae, that for all $y \in T_{N+1}$ and q a
subformula of p, $y \models_S q$ if and only if $J^*(y) \models_R q$.


If q is an atomic subformula P, then $y \models_S P$ iff $J^*(y) \models_S P$, since the image of S is generated by
T and J. By the definition of R, $J^*(y) \models_S P$ iff $J^*(y) \models_R P$. If q is a negated subformula, then
$y \models_S q$ iff $J^*(y) \models_R q$ follows from the inductive hypothesis and the definition of negation.


If q is a diamond subformula $\langle a \rangle r$, then suppose $y \models_S \langle a \rangle r$. Then by Lemma 5.2 there must be
an execution sequence $b_1 \cdots b_k \in L(a;r?)$ and a sequence $\{y_n\}_{0 \leq n \leq k}$ of elements of $T_{N+1}$
such that $y_0 = y$ and for $0 \leq n < k$, $y_n \langle b_{n+1} \rangle_S y_{n+1}$. We leave it to the reader to verify that for
$0 \leq n < k$, $J^*(y_n) \langle b_{n+1} \rangle_R J^*(y_{n+1})$, so that $J^*(y) = J^*(y_0) \models_R \langle a \rangle r$.


Conversely, suppose $x = J^*(y)$ and $x \models_R \langle a \rangle r$. Then there must be an execution sequence
$b_1 \cdots b_k \in L(a;r?)$ and a sequence $\{x_n\}_{0 \leq n \leq k}$ of elements of T such that $x_0 = x$ and for
$0 \leq n < k$, $x_n \langle b_{n+1} \rangle_R x_{n+1}$. Inductively define a sequence $\{y_n\}_{0 \leq n \leq k}$ of elements of $T_{N+1}$ as
follows. Let $y_0 = y$ and having defined $y_n$, define $y_{n+1}$ in accord with the relationship between
$x_n$ and $x_{n+1}$. If $b_{n+1}$ is a test, then $x_{n+1} = x_n$ so let $y_{n+1} = y_n$. Otherwise, $b_{n+1}$ is an atomic
program (since p is converse-free), and $x_{n+1}$ is a successor, the mth say, of $x_n$ if $x_n \in int(T)$, or of
$J(x_n)$ if $x_n \in front(T)$. In this case let $y_{n+1}$ be the mth successor of $y_n$. It is now straightforward to
prove that $J^*(y_n) = x_n$ for $0 \leq n \leq k$ and that $y_n \langle b_{n+1} \rangle_S y_{n+1}$ for $0 \leq n < k$. Hence, $y \models_S \langle a \rangle r$.


If q is a delta subformula $\Delta a$ then $y \models_S \Delta a$ if and only if $J^*(y) \models_R \Delta a$ follows by an
argument almost identical to the previous one for diamond subformulae. We conclude that $\Lambda \models_R p$,
since $\Lambda \models_S p$ and p is a subformula of p. Therefore the structure R is a finite model of p.
∎


Program constants: $skip =_{df} true?$
$abort =_{df} false?$
Deterministic control structures:
if p then a else b $=_{df} (p?;a) \cup (\neg p?;b)$
while p do a $=_{df} (p?;a)^*;\neg p?$
Dijkstra’s guarded commands [3]:
IF $p \rightarrow a \;\square\; q \rightarrow b$ FI $=_{df} (p?;a) \cup (q?;b)$
DO $p \rightarrow a \;\square\; q \rightarrow b$ OD $=_{df} ((p?;a) \cup (q?;b))^*;(\neg p \;\&\; \neg q)?$
de Bakker’s weakest preconditions [2]:
$a \rightarrow p =_{df} [a]p$
de Bakker’s strongest postconditions [2]:
$a * p =_{df} \langle a^{-} \rangle p$
Hoare’s partial correctness assertion [7]:
$p\{a\}q =_{df} p \rightarrow [a]q$
A well-foundedness or convergence assertion:


$\nabla a =_{df} \neg\Delta a$


An infinite looping assertion [6, 11, 16], defined inductively:


$\infty A =_{df} false$

$\infty(a;b) =_{df} \infty a \vee \langle a \rangle \infty b$
$\infty(a \cup b) =_{df} \infty a \vee \infty b$
$\infty(a^*) =_{df} \langle a^* \rangle \infty a \vee \Delta a$
$\infty(p?) =_{df} false$


(Alternatively, one can amend the syntax by adding the $\infty A$’s to $\Phi_0$, allowing structures to
decide arbitrarily which primitive programs loop and which do not.)


Dijkstra’s weakest precondition operator [4]:


$wp(a, p) =_{df} [a]p \;\&\; \langle a \rangle true \;\&\; \neg\infty a$


Definition: If $p \in \Phi$ and S is a structure, then S is a model of p or S satisfies p if and only if
$u \models_S p$ for some $u \in U$, and p is satisfiable if and only if some structure satisfies p. The
satisfiability problem for delta-converse-PDL is the problem of deciding whether or not an arbitrary
delta-converse-PDL formula is satisfiable.




converse-PDL satisfiability can be decided in time $O(\exp^8 k)$, where k is the length of the formula
tested. ∎


Theorem 5.9: Given a delta-PDL formula p of length k, there is a deterministic complemented
pairs automaton $A_p$ with no more than O(exp exp k) states and O(exp k) pairs, which accepts
exactly the images of one-way schemes for p. Furthermore, $A_p$ can be constructed in time
O(exp exp k).


Proof. The proof is very similar to that of Theorem 5.7. By Corollary 5.6, it is sufficient to
construct an automaton accepting exactly the (N+1)-ary $\Sigma_p$-trees satisfying the conditions (1)-(7)
and an extra condition: (8) $f(x)$ contains no negative literals, for all x. It is straightforward to
construct a complemented pairs automaton B with three states (a start state, an accepting state, and
a failure state) and one pair which accepts exactly the trees satisfying conditions (1), (2), (5), (6),
and (8). On the assumption that condition (8) is fulfilled, only forward paths need be considered
to check conditions (4) and (7). It is not difficult to construct complemented pairs automata $C_n$
and $D_n$ which check conditions (3) and (4) respectively and which have exactly one pair and no
more than O(exp k) states.


Given a deterministic m state automaton recognizing a regular set Y (not containing the empty
string) over an alphabet $\Sigma$, a construction of McNaughton’s [9] yields a deterministic pairs
automaton on infinite strings, with O(exp m) states and O(m) pairs which accepts exactly the
infinite strings in $Y^\omega$. Since McNaughton’s machine is a deterministic pairs automaton on
infinite strings, it can be viewed as a complemented pairs automaton accepting exactly the infinite
strings not in $Y^\omega$.


For $\Delta a \in cl(p)$, let $E_a$ be the complemented pairs automaton resulting from applying the above
construction to a deterministic automaton accepting $\{\gamma_0 b_1 \cdots b_k \gamma_k \in C(a) \mid k \geq 1$ and
$\Delta a \notin \gamma_0\}$. Let $F_a$ be an automaton on infinite trees which runs the automaton $E_a$ down every
path from the root in order to reject any tree containing a node x such that $\Delta a \notin f(x)$ and an
infinite path from x which a repeatedly fits. Each $F_a$ can be constructed to have no more than
O(exp exp k) states and O(exp k) pairs.


Finally, the automaton B and the $C_n$’s, $D_n$’s, and $F_a$’s can be combined in a cross-product
construction to yield the desired $A_p$. $A_p$ has no more than O(exp exp k) states and O(exp k) pairs
and can be constructed in time O(exp exp k). ∎


Theorem 5.10: The satisfiability problem for delta-PDL is decidable in time $O(\exp^3 k)$, where k is
the length of the formula tested.


Proof: Given a formula p of length k, Theorem 5.7 constructs a complemented pairs automaton $A_p$
on infinite (N+1)-ary trees with no more than O(exp exp k) states and O(exp k) pairs such that $A_p$
accepts some tree if and only if p is satisfiable. By Theorem 3.8, the emptiness problem for $A_p$ can
be decided in time $O(\exp^3 k)$. ∎


Definition: If $p \in \Phi$ and S is a structure, then p is valid in S if and only if $u \models_S p$ for all $u \in U$,
and p is valid if and only if p is valid in all structures.


Definition: A set X of formulae expresses a second set Y of formulae if and only if for every formula
$p \in Y$ there is a formula $q \in X$ such that $p \leftrightarrow q$ is valid. The set X is more expressive than the set Y if
and only if X expresses Y but Y does not express X.


The following theorems rank delta-converse-PDL and some of its sublogics with respect to expressive 
power. Theorem 2.1, due to Fischer and Ladner, establishes a property of PDL and converse-PDL 
formulae which Theorems 2.2 and 2.3 show is not shared by all delta-PDL and delta-converse-PDL 
formulae. We conclude that delta-PDL is more expressive than PDL, that delta-converse-PDL is more
expressive than either delta-PDL or converse-PDL, and that converse-PDL does not express delta- 
PDL. Finally, Theorem 2.4 shows that converse-PDL is more expressive than PDL and that delta-PDL 
does not express converse-PDL, so that converse-PDL and delta-PDL are incomparable in expressive 
power. 


Theorem 2.1 [5]: Converse-PDL (and hence also PDL) satisfies the collapsing finite model property:
every model of a formula can be collapsed to a finite model by identifying states. The resulting
finite model has at most $2^n$ states, where n is the length of the formula.


Theorem 2.2: Delta-PDL does not satisfy the collapsing finite model property; there is a formula with 
an infinite model which cannot be collapsed to a finite structure without altering the truth value of the 
formula at some state.


Proof: Consider an infinite structure S with an infinite reverse A-chain (i.e., a sequence $\{u_n\}_{n \geq 0}$
of states such that $u_{n+1} \langle A \rangle_S u_n$ for all n), but no infinite forward A-chains (i.e., sequences
$\{u_n\}_{n \geq 0}$ of states such that $u_n \langle A \rangle_S u_{n+1}$ for all n). Then for every state u along the reverse A-
chain, $u \models_S \neg\Delta A$. However, S cannot be collapsed to a finite structure T without identifying
two distinct states, u and v say, on the chain. If w is the collapse of u and v in T, then
$w \langle A;A^* \rangle_T w$, and hence $w \models_T \Delta A$. ∎


Theorem 2.3: Delta-converse-PDL does not satisfy the finite model property; there is a satisfiable
formula which is not satisfied in any finite model.


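Proof. Consider the satisfiable formula $\Delta A \;\&\; \neg\langle A^* \rangle\Delta(A^{-})$. If $u \models_S \Delta A \;\&\; \neg\langle A^* \rangle\Delta(A^{-})$,
then $u \models_S \Delta A$ and $u \models_S \neg\langle A^* \rangle\Delta(A^{-})$. Hence there is an infinite A-chain $u_0 \langle A \rangle_S u_1 \cdots$
$u_n \langle A \rangle_S u_{n+1} \cdots$. If $u_i = u_j$ for any $i < j$, then $u_i \models_S \Delta(A^{-})$ and so $u \models_S \langle A^* \rangle\Delta(A^{-})$, a
contradiction. So all the $u_i$ are distinct. Hence, $\Delta A \;\&\; \neg\langle A^* \rangle\Delta(A^{-})$ is satisfiable only in
infinite models. ∎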
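The semantic clauses of this chapter and the arguments of Theorems 2.2 and 2.3 can be checked mechanically on finite structures. The Python evaluator below is an added example, not code from the thesis; the tuple encoding of formulae and the names Structure, rel_of, sat, conj, reverse_chain, collapse and satisfiable_within are assumptions of the example. It goes slightly beyond the text by searching every structure with at most three states for a model of the Theorem 2.3 formula.

```python
from itertools import product

# Formulas:  ("atom", P) | ("not", p) | ("dia", a, p) | ("delta", a)
# Programs:  ("prog", A) | ("seq", a, b) | ("union", a, b) | ("star", a)
#            | ("conv", a) | ("test", p)
# This tuple encoding and all helper names are assumptions of this example.

class Structure:
    """Finite structure: states U, atom valuation, atomic-program relations."""
    def __init__(self, states, val, rel):
        self.states = frozenset(states)
        self.val = val    # atom name -> set of states where it holds
        self.rel = rel    # atomic program name -> set of (u, v) pairs

def compose(r, s):
    return {(u, w) for (u, v) in r for (x, w) in s if v == x}

def rel_of(S, a):
    """Binary relation denoted by program a (semantic clauses 4-8)."""
    kind = a[0]
    if kind == "prog":
        return set(S.rel.get(a[1], ()))
    if kind == "seq":
        return compose(rel_of(S, a[1]), rel_of(S, a[2]))
    if kind == "union":
        return rel_of(S, a[1]) | rel_of(S, a[2])
    if kind == "star":                      # reflexive-transitive closure
        step = rel_of(S, a[1])
        closure = {(u, u) for u in S.states}
        while True:
            bigger = closure | compose(closure, step)
            if bigger == closure:
                return closure
            closure = bigger
    if kind == "conv":                      # converse: reverse every pair
        return {(v, u) for (u, v) in rel_of(S, a[1])}
    if kind == "test":                      # p? is the identity on states satisfying p
        return {(u, u) for u in sat(S, a[1])}
    raise ValueError(f"unknown program {a!r}")

def sat(S, p):
    """Set of states satisfying formula p (semantic clauses 1-3)."""
    kind = p[0]
    if kind == "atom":
        return set(S.val.get(p[1], ())) & S.states
    if kind == "not":
        return set(S.states) - sat(S, p[1])
    if kind == "dia":
        r, target = rel_of(S, p[1]), sat(S, p[2])
        return {u for (u, v) in r if v in target}
    if kind == "delta":
        # Greatest fixpoint: keep states with an a-step back into the set.
        # On a finite structure this is "an infinite a-sequence starts here".
        r, alive = rel_of(S, p[1]), set(S.states)
        while True:
            nxt = {u for (u, v) in r if v in alive}
            if nxt == alive:
                return alive
            alive = nxt
    raise ValueError(f"unknown formula {p!r}")

def conj(p, q):
    """p & q, encoded through a test as <p?>q."""
    return ("dia", ("test", p), q)

A = ("prog", "A")
DELTA_A = ("delta", A)
# Formula of Theorem 2.3: Delta A & not <A*> Delta(A^-)
THM_2_3 = conj(DELTA_A, ("not", ("dia", ("star", A), ("delta", ("conv", A)))))

def reverse_chain(n):
    """Constructed finite prefix of a reverse A-chain: edges k+1 -> k."""
    return Structure(range(n + 1), {}, {"A": {(k + 1, k) for k in range(n)}})

def collapse(S, merge):
    """Quotient of S identifying each state u with merge.get(u, u)."""
    f = lambda u: merge.get(u, u)
    return Structure({f(u) for u in S.states},
                     {P: {f(u) for u in us} for P, us in S.val.items()},
                     {B: {(f(u), f(v)) for (u, v) in r} for B, r in S.rel.items()})

def satisfiable_within(p, max_states):
    """Exhaustive search over all A-relations on 1..max_states states.
    Assumes p mentions only the atomic program A and no atomic formulae."""
    for n in range(1, max_states + 1):
        pairs = [(u, v) for u in range(n) for v in range(n)]
        for bits in product((0, 1), repeat=len(pairs)):
            rel = {pr for pr, b in zip(pairs, bits) if b}
            if sat(Structure(range(n), {}, {"A": rel}), p):
                return True
    return False

if __name__ == "__main__":
    chain = reverse_chain(5)
    print("Delta A on the chain:", sat(chain, DELTA_A))
    print("after identifying 4 with 1:", sat(collapse(chain, {4: 1}), DELTA_A))
    print("Theorem 2.3 formula, models with <= 3 states:",
          satisfiable_within(THM_2_3, 3))
```

Identifying two states of the chain creates an A-cycle, so $\Delta A$ becomes true at the merged state, which is the step the proof of Theorem 2.2 relies on; the search finds no small finite model of the Theorem 2.3 formula.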


Proof. A straightforward extension of the preceding proof. ∎


Theorem 5.7: Given a delta-converse-PDL formula p of length k, there is a deterministic two-way
tree automaton $A_p$ which accepts exactly the images for p. Further, $A_p$ need have no more than
O(exp exp k) states and can be constructed in time O(exp exp k).


Proof. By Lemma 5.5, it is sufficient to construct an automaton accepting exactly the (N+1)-ary $\Sigma_p$-
trees satisfying the conditions (1)-(7), where N < k is the number of diamond subformulae of p.
It is straightforward to construct an automaton B with four states (two start states, an accepting
state, and a failure state) which accepts exactly the trees satisfying conditions (1), (2), (5), and (6).


For $1 \leq n \leq N$, let $A_n$ be a deterministic automaton on finite strings which accepts the regular set
$C(a_n;q_n?)$. The $A_n$’s can be constructed to have no more than O(exp k) states. Let $C_n$ be an
automaton on infinite trees which, for every node x in the tree labelled with $\langle a_n \rangle q_n$, runs the
automaton $A_n$ down the path $x;\{xn0^m\}_{m \geq 0}$ looking for an initial segment which the program
$a_n;q_n?$ fits. Let $D_n$ be an automaton on infinite trees which, for every node x in the tree not
labelled with $\langle a_n \rangle q_n$, runs the automaton $A_n$ down every path starting with x, rejecting the tree if
$a_n;q_n?$ fits any finite path starting with x. The $C_n$’s and $D_n$’s can be constructed to have no more
than O(exp k) states.


Given a deterministic m state automaton recognizing a regular set X not containing the empty
string, there is a construction, due to McNaughton [9], of a deterministic automaton on infinite
strings, with no more than O(exp m) states, which accepts exactly the infinite strings not in $X^\omega$.
For $\Delta a \in cl(p)$, let $E_a$ be the result of applying McNaughton’s construction to a deterministic
automaton accepting $\{\gamma_0 b_1 \cdots b_k \gamma_k \in C(a) \mid k \geq 1\}$. Let $F_a$ be an automaton on infinite trees
which, for every node x not labelled with $\Delta a$, runs the automaton $E_a$ down every path from x in
order to reject any tree containing a path from x which a repeatedly fits. $F_a$ can be constructed to
have no more than O(exp exp k) states.


Finally, the automaton B and the $C_n$’s, $D_n$’s, and $F_a$’s can be combined in a cross-product
construction to yield the desired $A_p$. $A_p$ has no more than O(exp exp k) states and can be
constructed in time O(exp exp k). ∎


Theorem 5.8: The satisfiability problem for delta-converse-PDL is decidable in time $O(\exp^8 k)$,
where k is the length of the formula tested.


Proof. Given a formula p of length k, Theorem 5.7 constructs a two-way automaton $A_p$ on infinite
(N+1)-ary trees with no more than O(exp exp k) states such that $A_p$ accepts some tree if and only if
p is satisfiable. By Theorem 5.10, there is an equivalent one-way automaton B on infinite (N+1)-ary
trees with no more than $O(\exp^6 k)$ states. It is straightforward to construct a one-way automaton
C on infinite binary trees with no more than $O((N+1) \exp^6 k) = O(\exp^6 k)$ states, whose emptiness
problem is equivalent to B’s. The emptiness problem for one-way automata on infinite binary
trees is decidable in time O(exp exp m), where m is the number of states [8, 18]. Therefore, delta-
We shall prove later (see Lemma 5.3) that delta-converse-PDL satisfies a tree model property; every
satisfiable delta-converse-PDL formula has a tree model. For delta-PDL a stronger property holds:
every satisfiable delta-PDL formula has a one-way tree model (see Corollary 5.4).


Theorem 2.4: Converse-PDL (and hence also delta-converse-PDL) does not satisfy the one-way tree
model property; there is a satisfiable converse-PDL formula which is not satisfied in any one-way
tree model.


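Proof: Consider the satisfiable formula $P \;\&\; \langle A \rangle\langle A^{-} \rangle\neg P$. Suppose $u \models_S P \;\&\; \langle A \rangle\langle A^{-} \rangle\neg P$, where
S is a one-way tree model. Then $u \models_S P$ and there is an immediate successor v of u such that
$v \models_S \langle A^{-} \rangle\neg P$, so that there must be a state w such that $w \langle A \rangle_S v$ and $w \models_S \neg P$. Since S is a
one-way tree model, w must be the parent of v, so w = u. But this is impossible, since we have
$u \models_S P$ and $w \models_S \neg P$. ∎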


The remainder of this chapter relates the expressive power of delta-PDL to that of two other 
propositional logics of programs: the Propositional Algorithmic Logic (PAL) of Mirkowska [12] and 
the Unified Temporal Logic of Branching Time (UB) of Ben-Ari, Manna, and Pnueli [1]. UB is an 
intensional logic of programs, as opposed to PDL and PAL, which are extensional. Programs 
appear explicitly in the formulae of PDL and PAL, and different formulae can refer to completely 
different programs. The formulae of a temporal logic do not explicitly refer to programs; rather, 
every formula is taken to refer to a single program, which is fixed by the choice of a UB-structure. 


Definition. The formulae, $\Phi_{UB}$, of UB, are defined inductively as follows:


(1) $\Phi_0 \subseteq \Phi_{UB}$
(2) If $p, q \in \Phi_{UB}$ then $\neg p$, $p \vee q$, $\exists Xp$, $\exists Fp$, $\exists Gp \in \Phi_{UB}$.


Definition. A UB-structure is a tuple $S = \langle U, \models_S, \Rightarrow_S \rangle$ where U is a set of states, $\models_S$ is a
satisfiability relation on the atomic propositions, and $\Rightarrow_S$ is a total binary relation on U (i.e., for
every state u there is at least one state v such that $u \Rightarrow_S v$).


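Definition: Given a UB-structure $S = \langle U, \models_S, \Rightarrow_S \rangle$, $\models_S$ can be extended to all UB formulae as
follows.


(1) $u \models_S \neg p$ iff not $u \models_S p$.

(2) $u \models_S p \vee q$ iff $u \models_S p$ or $u \models_S q$.

(3) $u \models_S \exists Xp$ iff $\exists v.\ u \Rightarrow_S v$ and $v \models_S p$.

(4) $u \models_S \exists Fp$ iff $\exists v.\ u \Rightarrow_S^{*} v$ and $v \models_S p$.

(5) $u \models_S \exists Gp$ iff there is an infinite sequence $\{u_n\}_{n \geq 0}$ of states such that $u_0 = u$ and
for all n, $u_n \models_S p$ and $u_n \Rightarrow_S u_{n+1}$.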


The logic UB is a temporal logic of discrete branching time; given a program a, the binary relation
$\Rightarrow_S$ relates computation states at time t to possible computation states at the next time t + 1.
(2) if $x_{n+1}$ is the predecessor of $x_n$, then the inverse of $b_{n+1} \in f(x_n)$.


Remark: A program a fits a singleton path x if and only if there is a compressed execution
sequence $\gamma \in C(a)$, consisting of a single set of subformulae of p, such that $\gamma \subseteq f(x)$. If f is the
image of a one-way scheme and if a is a converse-free program, then a can fit only forward paths
and only condition (1) is needed to determine the forward paths which a fits.


Definition: Given a $\Sigma_p$-tree f, a program a repeatedly fits an infinite path $\{x_n\}_{n \geq 0}$ if and only if
there is an infinite, increasing sequence of indices $\{i_j\}_{j \geq 0}$ such that $i_0 = 0$ and a fits $\{x_n\}_{i_{j-1} \leq n \leq i_j}$
for $j \geq 1$.


Lemma 5.5: A $\Sigma_p$-tree f is an image for p if and only if the following conditions are satisfied.


(1) $p \in f(\Lambda)$.
(2) for $\neg q \in cl(p)$, $\neg q \in f(x)$ if and only if $q \notin f(x)$.


(3) if $\langle a_n \rangle q_n \in f(x)$, then there is an initial segment $\alpha$ of the infinite path $x;\{xn0^m\}_{m \geq 0}$ such
that $a_n;q_n?$ fits $\alpha$.


(4) if $\langle a_n \rangle q_n \notin f(x)$, then for all finite paths $\alpha$ starting at x, $a_n;q_n?$ does not fit $\alpha$.
(5) for $\Delta a \in cl(p)$, $\Delta a \in f(x)$ if and only if $\langle a \rangle \Delta a \in f(x)$.
(6) for $\Delta a \in cl(p)$, if a fits the singleton path x, then $\Delta a \in f(x)$.


(7) for $\Delta a \in cl(p)$, if $\Delta a \notin f(x)$, then for all infinite paths $\alpha$ starting at x, a does not
repeatedly fit $\alpha$.


Proof: We leave it to the reader to verify that an image for p satisfies (1) - (7). Conversely, given 
a N+l-ary 2, tree f satisfying (1) - (7), we can define a two-way tree structure S = <Ty 1, Fy, 
<> > by letting x Fo P iff P € fx) and x <A> cy iff either y is a successor of x and A € Ax) ory 


is the predecessor of x and A € fx). The reader can verify that fis the image of S. We 
proceed, using structural induction on formulae and conditions (2) - (7), to establish that for all x 
€ Ty,, and q € chp), x Fy gq iff q € fx). 


If q is an atomic subformula P, then x ⊨_S P iff P ∈ f(x) follows from the definition of S. If q is a negated subformula ¬r, then x ⊨_S ¬r iff ¬r ∈ f(x) follows from condition (2). If q is a diamond subformula <a_n>q_n, then (x ⊨_S <a_n>q_n) → (<a_n>q_n ∈ f(x)) follows from condition (4), and (<a_n>q_n ∈ f(x)) → (x ⊨_S <a_n>q_n) follows from condition (3). If q is a delta subformula Δa, then (x ⊨_S Δa) → (Δa ∈ f(x)) follows from conditions (4), (6), and (7), and (Δa ∈ f(x)) → (x ⊨_S Δa) follows from conditions (3) and (5). By condition (1), Λ ⊨_S p, and by condition (3), for
lens N,ifx Fy <a>q,, then ay xc y< xn0™ & x<a,:q,)? sy. Hence S is a scheme for p. 
| 


Corollary 5.6: If p is a delta-PDL formula, then a Σ_p-tree f is a one-way image for p if and only if conditions (1) - (7) above are satisfied and, for all x, f(x) contains no negative literals. ∎


The formula ∃Xp is true in a state at time t if that state can become, at time t + 1, a state in which p is true. The formula ∃Fp is true in a state at time t if that state is or can become, at some later time t + n, a state in which p is true. The formula ∃Gp is true in a state at time t if from that state there is an infinite sequence of successive states in which p is true. We can define three dual formulae: ∀Xp =_df ¬∃X¬p, ∀Fp =_df ¬∃F¬p, and ∀Gp =_df ¬∃G¬p. The formula ∀Xp is true in a state if p is true in all possible next states. The formula ∀Fp is true in a state if p is true in that state and in all possible future states. The formula ∀Gp is true in a state if, from that state, every chain of successive states contains a state in which p is true.


Definition: Let A be a fixed atomic program. Let ¢: Il,p, > TI be a translation defined as 
follows. 


(1) P† = P
(2) (¬p)† = ¬(p†)
(3) (p ∨ q)† = (p†) ∨ (q†)
(4) (∃Xp)† = <A>(p†)
(5) (∃Fp)† = <A*>(p†)
(6) (∃Gp)† = Δ((p†)?;A)

Definition: If S = <U, ⊨_S, ⇒_S> is a UB-structure, then let S† = <U, ⊨_{S†}, <>_{S†}> be any structure in which ⊨_{S†} = ⊨_S and <A>_{S†} = ⇒_S.


Theorem 2.5: UB is embeddable in delta-PDL; if p is a UB formula satisfied at a state u in a UB-structure S, then u ⊨_{S†} p†. Further, p has a UB-model if and only if [A*]<A>true & p† is satisfiable.

Proof. By structural induction on formulae. ∎


Propositional Algorithmic Logic is very similar to PDL. One major difference is that the semantics of programs in PAL is defined in terms of computation sequences rather than binary relations as in PDL (one might say that PAL has an operational semantics and PDL a denotational semantics). The other major difference is that PAL contains a powerful total correctness assertion for nondeterministic programs, □(a)p, which is true when every execution sequence of a terminates in a state in which p is true. Since the truth value of □(a)p depends on the presence or absence of nonterminating execution sequences of a, PDL does not express PAL. Delta-PDL, however, does express PAL.
arbitrarily. Finally, given ρ, define a structure T = <T_{N+1}, ⊨_T, <>_T> by letting x ⊨_T P if and only if ρ(x) ⊨_S P and letting x<A>_T y if and only if x and y are neighbors and ρ(x)<A>_S ρ(y). By construction T is a scheme for p. ∎


Corollary 5.4: Every satisfiable delta-PDL formula has a one-way scheme. 


Proof. Given a satisfiable delta-PDL formula p, construct the map ρ as in the preceding proof, but define T = <T_{N+1}, ⊨_T, <>_T> by letting x ⊨_T P if and only if ρ(x) ⊨_S P and letting x<A>_T y if and only if y is a successor of x and ρ(x)<A>_S ρ(y). By construction T is a one-way scheme for p. ∎


Schemes are easily transformed into trees suitable for input to automata on infinite trees. 
The trees obtained in this way are automaton recognizable; this fact leads immediately to decision 
procedures for delta-PDL and delta-converse-PDL. 


Definition: If p is a delta-converse-PDL formula, Π_p denotes the set of literals appearing in p. Let Σ_p = Powerset(cl(p) ∪ Π_p).


Definition: Given a scheme S = <T_{N+1}, ⊨_S, <>_S> for a delta-converse-PDL formula p, the image of S is the N+1-ary Σ_p-tree f such that for all x ∈ T_{N+1}, f(x) = {q ∈ cl(p) | x ⊨_S q} ∪ {a ∈ Π_p | y<a>_S x where y is the predecessor of x}. An image for p is an image of a scheme for p.


Remark: If the scheme S is one-way and if f is the image of S, then for all x, f(x) contains no negative literals.


It is technically convenient to define a version of execution sequences in which all subsequences of tests are compressed into single sets of formulae. Note that it is no more difficult for a finite automaton to recognize the compressed execution sequences of a program than the ordinary execution sequences: if the latter set is accepted by an n state automaton on finite strings, then so is the former.


Definition: Given a formula p, a compressed (with respect to p) execution sequence is a sequence η_0 δ_1 η_1 ··· η_{n-1} δ_n η_n of alternating literals and sets of subformulae of p, beginning and ending with sets. The set of compressed execution sequences for a program a is C(a) = {η_0 δ_1 η_1 ··· η_{n-1} δ_n η_n | there exists q_{0,1}? ··· q_{0,k_0}? δ_1 q_{1,1}? ··· q_{1,k_1}? ··· δ_n q_{n,1}? ··· q_{n,k_n}? ∈ L(a), where each δ_i is a literal, such that η_i = {q_{i,1}, ..., q_{i,k_i}} for 0 ≤ i ≤ n}.


Definition: Given a Σ_p-tree f, a program a fits a path π = {x_i}_{0≤i≤n} if and only if there is a compressed execution sequence η_0 δ_1 η_1 ··· η_{n-1} δ_n η_n ∈ C(a) such that for 0 ≤ i ≤ n, η_i ⊆ f(x_i) and for 0 ≤ i < n,

(1) if x_{i+1} is a successor of x_i, then δ_{i+1} ∈ f(x_{i+1}).
Definition: The set of programs, Π_PAL, and the set of formulae, Φ_PAL, of PAL are defined inductively as follows.

Π_PAL:
(1) Π_0 ⊆ Π_PAL
(2) If a, b ∈ Π_PAL, then a;b, a∪b, a* ∈ Π_PAL
(3) If p ∈ Φ_PAL and a, b ∈ Π_PAL, then p?, if p then a else b, while p do a ∈ Π_PAL

Φ_PAL:
(1) Φ_0 ⊆ Φ_PAL
(2) If p, q ∈ Φ_PAL, then ¬p ∈ Φ_PAL
(3) If a ∈ Π_PAL and p ∈ Φ_PAL, then ◇(a)p, □(a)p ∈ Φ_PAL


Definition: If S is a structure, then a configuration is a pair <u, π>, where u is a state of S and π = <a_1, ..., a_n> is a (possibly empty) sequence of programs. The configuration <u, π> is final if and only if π is empty.

Definition: Given a structure S, ⊨_S can be extended to arbitrary PAL formulae and a binary relation ⇒_S on configurations can be defined as follows. If <u, π> ⇒_S* <v, τ>, then we say that <u, π> yields <v, τ>. If <u, π> is not final and in addition there is no configuration <v, τ> such that <u, π> ⇒_S <v, τ>, then <u, π> is a failing configuration.


(1) u ⊨_S ¬p iff not u ⊨_S p.

(2) u ⊨_S ◇(a)p iff <u, <a, p?>> yields a final configuration.

(3) u ⊨_S □(a)p iff <u, <a, p?>> yields neither a failing configuration nor an infinite chain of configurations.

(4) <u, <A, a_1, ..., a_n>> ⇒_S <v, <a_1, ..., a_n>> iff u<A>_S v.

(5) <u, <a;b, a_1, ..., a_n>> ⇒_S <u, <a, b, a_1, ..., a_n>>.

(6) <u, <a∪b, a_1, ..., a_n>> ⇒_S <u, <c, a_1, ..., a_n>> iff c = a or c = b.

OY: GOP Ge 8 ex URE Riu arin DDS: 

(8) <u, <a*, a_1, ..., a_n>> ⇒_S <u, <a, a*, a_1, ..., a_n>>.

(9) <u, <p?, a_1, ..., a_n>> ⇒_S <u, <a_1, ..., a_n>> iff u ⊨_S p.

(10) <u, <if p then a else b, a_1, ..., a_n>> ⇒_S <u, <c, a_1, ..., a_n>> iff either u ⊨_S p and c = a or u ⊨_S ¬p and c = b.

(11) <u, <while p do a, Gy, = + + 5 A? Py <u, <q), -- +, ap? iff u F p. 

(12) <u, <while p do a, re a,>> >> <u, <a, while p doa a,..., a,>> iff 


u Fo sp. 
Definition: If a is a delta-converse-PDL program, then L(a), the set of execution sequences of a, is defined inductively as follows:

(1) L(A) = {A}
(2) L(a;b) = L(a);L(b)
(3) L(a∪b) = L(a) ∪ L(b)
(4) L(a*) = (L(a))*
(5) L(q?) = {q}
(6) L(A⁻) = {A⁻}
(7) L((a;b)⁻) = L(b⁻;a⁻)
(8) L((a∪b)⁻) = L(a⁻ ∪ b⁻)
(9) L((a*)⁻) = L((a⁻)*)
(10) L((q?)⁻) = {q}
(11) L((a⁻)⁻) = L(a)


Lemma 5.2: For all structures S = <U, ⊨_S, <>_S> and programs a, u<a>_S v if and only if there is an execution sequence b_1 ··· b_k ∈ L(a) and a sequence of states {u_i}_{0≤i≤k} such that u_0 = u, u_k = v and u_{i-1}<b_i>_S u_i for 0 < i ≤ k.

Proof. By structural induction on programs. ∎
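The inductive definition of L(a) and the statement of Lemma 5.2 can be checked mechanically on a small finite structure. The Python below is an added example, not code from the thesis; the tuple encoding of programs, the restriction of tests to atomic propositions, the length bound on execution sequences and the three-state structure are all assumptions made for the illustration.

```python
# Added illustration (not from the thesis). Programs are nested tuples:
#   ('atom', A) ('test', q) ('seq', a, b) ('union', a, b) ('star', a) ('conv', a)
# Assumption: tests q? use atomic propositions only, so no formula evaluator is needed.

def push_converse(a, flip=False):
    """Rewrite a so converse sits only on atoms, following rules (6)-(11)."""
    kind = a[0]
    if kind == 'conv':                       # rule (11): a double converse cancels
        return push_converse(a[1], not flip)
    if kind == 'atom':                       # rules (1), (6): a positive or negative literal
        return ('lit', a[1], flip)
    if kind == 'test':                       # rules (5), (10): tests are unaffected
        return a
    if kind == 'star':                       # rules (4), (9)
        return ('star', push_converse(a[1], flip))
    left, right = push_converse(a[1], flip), push_converse(a[2], flip)
    if kind == 'seq' and flip:               # rule (7): the converse of a;b runs b first
        left, right = right, left
    return (kind, left, right)               # rules (2), (3), (8)

def _seqs(a, n):
    """Execution sequences of a converse-normal program with length at most n."""
    kind = a[0]
    if kind in ('lit', 'test'):
        return {(a,)} if n >= 1 else set()
    if kind == 'union':
        return _seqs(a[1], n) | _seqs(a[2], n)
    if kind == 'seq':
        return {s + t for s in _seqs(a[1], n) for t in _seqs(a[2], n - len(s))}
    body = {t for t in _seqs(a[1], n) if t}  # star: iterate the non-empty body sequences
    done, frontier = {()}, {()}
    while frontier:
        frontier = {s + t for s in frontier for t in body if len(s + t) <= n} - done
        done = done | frontier
    return done

def exec_seqs(a, max_len):
    """The members of L(a) of length <= max_len (L(a) itself is infinite under *)."""
    return _seqs(push_converse(a), max_len)

def relation(a, S):
    """Denotational meaning of a in S = (states, R, V): all pairs (u, v) with u<a>v."""
    states, R, V = S
    kind = a[0]
    if kind == 'atom':
        return set(R[a[1]])
    if kind == 'test':
        return {(u, u) for u in V[a[1]]}
    if kind == 'conv':
        return {(v, u) for (u, v) in relation(a[1], S)}
    if kind == 'union':
        return relation(a[1], S) | relation(a[2], S)
    compose = lambda r1, r2: {(u, w) for (u, v) in r1 for (x, w) in r2 if v == x}
    if kind == 'seq':
        return compose(relation(a[1], S), relation(a[2], S))
    body, closure = relation(a[1], S), {(u, u) for u in states}   # star
    while True:
        bigger = closure | compose(closure, body)
        if bigger == closure:
            return closure
        closure = bigger

def step(u, b, S):
    """States reachable from u by one element b of an execution sequence."""
    _, R, V = S
    if b[0] == 'test':
        return {u} if u in V[b[1]] else set()
    _, name, inverted = b
    if inverted:                             # a negative literal follows R[name] backwards
        return {x for (x, y) in R[name] if y == u}
    return {y for (x, y) in R[name] if x == u}

def pairs_via_sequences(a, S, max_len):
    """Pairs (u, v) joined by some execution sequence of length <= max_len, as in Lemma 5.2."""
    pairs = set()
    for seq in exec_seqs(a, max_len):
        for u in S[0]:
            current = {u}
            for b in seq:
                current = set().union(*(step(x, b, S) for x in current))
            pairs |= {(u, v) for v in current}
    return pairs

# Constructed structure: A = {0->1, 1->2}, B = {2->0}, proposition P holds only at state 2.
STRUCT = ({0, 1, 2}, {'A': {(0, 1), (1, 2)}, 'B': {(2, 0)}}, {'P': {2}})
# Constructed program (A ∪ (A;B)⁻)* ; P?
PROG = ('seq',
        ('star', ('union', ('atom', 'A'), ('conv', ('seq', ('atom', 'A'), ('atom', 'B'))))),
        ('test', 'P'))

if __name__ == '__main__':
    print(sorted(relation(PROG, STRUCT)))
    print(sorted(pairs_via_sequences(PROG, STRUCT, 4)))
```

With the bound set to 4 both computations agree on this structure; with a bound of 1 only the sequence consisting of the single test survives, so only the pair at the state satisfying P is found.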


If p is a satisfiable delta-converse-PDL formula, Theorem 5.3 shows that p has a special tree 
model, called a scheme, which is easily transformed into a tree suitable as input to a two-way 
automaton. A scheme is a tree structure in which p is satisfied at the root and diamond 
subformulae of p are satisfied along specific paths. If p is converse-free, i.e., a delta-PDL formula, 
then Corollary 5.4 shows that p has a one-way scheme, i.e., a scheme which is a one-way tree 
structure. 

Definition: If p is a delta-converse-PDL formula with diamond subformulae <a,>q, ,.. . , <a> yy 
then a scheme for p is a tree structure S = <Ty,1, Fg, <?..> such that A F, p and for all states 
. CO : 

x, if x Fey <a>q, then ay x Sy < xn & xXa59,2> yp. 


Theorem 5.3: Every satisfiable delta-converse-PDL formula has a scheme. 


Proof: Suppose u_0 ⊨_S p, where S = <U, ⊨_S, <>_S>. We construct a map ρ: T_{N+1} → U inductively as follows. Let ρ(Λ) = u_0. Inductively, if x is in V and ρ(x) = u, then we consider, for each n, whether u ⊨_S <a_n>q_n. If not, let ρ(xn0^m) be arbitrary for all m. If so, then there is a state v such that u<a_n;q_n?>_S v. By Lemma 5.2, there is a sequence of states {u_i}_{0≤i≤k} and an execution sequence b_1 ··· b_k ∈ L(a_n;q_n?) such that u_0 = u, u_k = v, and u_{i-1}<b_i>_S u_i for 0 < i ≤ k. Let m be the number of literals in b_1 ··· b_k. For 1 ≤ i ≤ m, let ρ(xn0^{i-1}) = u_j, where j is the index of the i-th literal in b_1 ··· b_k. For i > m, let ρ(xn0^{i-1}) be chosen
Remark: Note that ◇(a)p and □(a)p are not dual to one another, i.e., ◇(a)p is not equivalent to ¬□(a)¬p. Note also that □(if p then a else b)q is sometimes true and sometimes false, but that □((p?;a)∪(¬p?;b))q is always false, since <u, <((p?;a)∪(¬p?;b));q?>> yields <u, <p?, a, q?>> and <u, <¬p?, b, q?>>, one of which must be a failing configuration. Hence if p then a else b cannot be defined, in PAL, to be an abbreviation of (p?;a)∪(¬p?;b). Similarly, while p do a cannot be defined, in PAL, to be an abbreviation of (p?;a)*;¬p?.
Definition. For each PAL program a, define a PAL formula fail(a) as follows.

(1) fail(A) = ¬◇(A)true
(2) fail(a;b) = fail(a) ∨ ◇(a)fail(b)
(3) fail(a∪b) = fail(a) ∨ fail(b)
(4) fail(a*) = ◇(a*)fail(a)
(5) fail(p?) = ¬p
(6) fail(if p then a else b) = (p & fail(a)) ∨ (¬p & fail(b))
(7) fail(while p do a) = ◇((p?;a)*)(p & fail(a))


Lemma 2.6: For all structures S, states u, and PAL programs a, u ⊨_S fail(a) if and only if <u, <a>> yields a failing configuration.

Proof. By structural induction on programs. ∎


Definition: Let ‡ be a translation from PAL formulae and programs to delta-PDL formulae and programs defined as follows.

(1) P‡ = P
(2) (¬p)‡ = ¬(p‡)
(3) (◇(a)p)‡ = <a‡>(p‡)
(4) (□(a)p)‡ = ¬((fail(a;p?))‡ ∨ Δ(a‡))
(5) A‡ = A
(6) (a;b)‡ = (a‡);(b‡)
(7) (a∪b)‡ = (a‡)∪(b‡)
(8) (a*)‡ = (a‡)*
(9) (p?)‡ = (p‡)?
(10) (if p then a else b)‡ = if p‡ then a‡ else b‡
(11) (while p do a)‡ = while p‡ do a‡


5 Satisfiability and Finite Models


In this chapter the automata theoretic results of the previous two chapters are used to 
obtain decision procedures for delta-PDL and delta-converse-PDL. The notion of a finitely 
generable tree is then employed to establish a finite model theorem for delta-PDL and a finite 
representation theorem for delta-converse-PDL. First, however, we precisely define the informal 
notions of the subformulae of a formula and the execution sequences of a program. 


Definition: If p is a delta-converse-PDL formula, then cl(p), the Fischer-Ladner closure of p, is the least set of formulae such that

(1) p ∈ cl(p)
(2) if ¬q ∈ cl(p), then q ∈ cl(p)
(3) if <A>q ∈ cl(p) or <A⁻>q ∈ cl(p), then q ∈ cl(p)
(4) if <a;b>q ∈ cl(p), then <a><b>q ∈ cl(p)
(5) if <(a;b)⁻>q ∈ cl(p), then <b⁻;a⁻>q ∈ cl(p)
(6) if <a∪b>q ∈ cl(p), then <a>q, <b>q ∈ cl(p)
(7) if <(a∪b)⁻>q ∈ cl(p), then <a⁻∪b⁻>q ∈ cl(p)
(8) if <a*>q ∈ cl(p), then q, <a><a*>q ∈ cl(p)
(9) if <(a*)⁻>q ∈ cl(p), then <(a⁻)*>q ∈ cl(p)
(10) if <r?>q ∈ cl(p), then r, q ∈ cl(p)
(11) if <(r?)⁻>q ∈ cl(p), then <r?>q ∈ cl(p)
(12) if Δa ∈ cl(p), then <a>Δa ∈ cl(p)


Lemma 5.1: If p is a delta-converse-PDL formula of length n, then cl(p) contains at most n formulae.

Proof: A straightforward extension of the corresponding proof for PDL [7]. ∎


Definition: The elements of cl(p) are called the subformulae of p; this can be misleading, since <a><a*>q and <a>Δa are, by the above definition, subformulae of <a*>q and Δa respectively. A subformula of p of the form <a>q is called a diamond subformula of p.


Definition: Abusing predicate calculus terminology, we define a literal to be either an atomic program or the converse of an atomic program. Atomic programs will sometimes be called positive literals and converses of atomic programs negative literals. The inverse of a positive literal A is A⁻; the inverse of a negative literal A⁻ is A.

Programs in delta-converse-PDL are extended regular expressions over literals and tests, so each program denotes a regular set, the set of its execution sequences.


Lemma 2.7: For all structures S, states u of S, and PAL programs a, <u, <a>> yields <v, <>> if and only if u<a‡>_S v.

Proof: By structural induction on programs. ∎

Lemma 2.8: For all structures S, states u of S, and PAL programs a, <u, <a>> yields an infinite chain if and only if u ⊨_S Δ(a‡).

Proof: By structural induction on programs. ∎

Theorem 2.9: PAL is embeddable in delta-PDL, i.e., for all structures S, states u of S, and PAL formulae p, u ⊨_S p if and only if u ⊨_S p‡.

Proof: Follows directly from Lemmas 2.6, 2.7, and 2.8. ∎
Proof: It is easy to construct, in time O(exp exp m), a one-way automaton C, with no more than O(exp exp m) states, which accepts an infinite (Σ × C_S)-tree f × g exactly when g is a plan for f. It is straightforward to construct, also in time O(exp exp m), a nondeterministic automaton D on infinite strings, with no more than O(exp exp m) states, which, when run along an infinite forward path of an infinite N-ary C_S-tree g, accepts exactly when that path violates either of the two conditions for goodness. McNaughton gives a construction which, given a nondeterministic automaton on infinite strings with k states, produces, in time O(exp exp k), a deterministic automaton on infinite strings, with no more than O(exp exp k) states, which accepts exactly the complement of the set of strings accepted by the original automaton [9]. Let E be the result of applying McNaughton's construction to D; let F be that automaton on infinite trees which runs E down every infinite forward path, so that F accepts g exactly when g is good. Finally, the desired automaton B, given an input tree f: T_N → Σ, nondeterministically guesses a map g: T_N → C_S while simultaneously running the automata C on f × g and F on g. By Lemmas 4.4 and 4.9, A and B accept the same trees. The automaton B has no more than O(exp^4 m) states and can be constructed from A in time O(exp^4 m). ∎
3 One-Way Automata on Infinite Trees


Automata on infinite trees, called one-way automata in this chapter to distinguish them 
from the two-way automata defined in the next chapter, have been extensively studied [8, 18, 19]. 
We briefly review the fundamental definitions and theorems. 


Definition: The set T_N = {0, 1, ..., N-1}* of strings of the first N nonnegative integers can be viewed as an infinite N-ary tree, in which the empty string Λ is the root and each string (or node) x ∈ T_N has as its successors the strings x0, ..., x(N-1). The descendant relation is the reflexive transitive closure of the successor relation; we write y > x when y is a descendant of x (alternatively, we can write x < y and say that x is an ancestor of y).

Definition. A finite (infinite) forward path through T_N is a finite (infinite) sequence π = {x_n} of elements of T_N such that for all n, x_{n+1} is a successor of x_n.

Definition. If Σ is a finite alphabet, then an infinite N-ary Σ-tree is a function f: T_N → Σ.


Definition: A (nondeterministic) one-way automaton A on infinite N-ary Σ-trees is a tuple <S, s, M, G> where

S is the set of states.
s ∈ S is the initial state.
M: S × Σ → Powerset(S^N) is the next state function.
G ⊆ Powerset(S) is a set of accepting subsets.


Definition: A run of A on an infinite N-ary Σ-tree f is a function ρ: T_N → S such that ρ(Λ) = s and for all x ∈ T_N, <ρ(x0), ..., ρ(x(N-1))> ∈ M(ρ(x), f(x)).

Definition: If ρ is a run of A on f and π is an infinite forward path, then Inf(ρ, π) = {q ∈ S | ρ(x) = q for infinitely many x on π}.

Definition: An automaton A accepts an infinite N-ary Σ-tree f if and only if there is a run ρ of A on f such that for all infinite forward paths π, Inf(ρ, π) ∈ G.


Theorem 3.1: The emptiness problem for an N-ary infinite tree automaton A with m states, i.e., the problem of deciding whether or not A accepts any tree at all, can be decided in time O(exp exp mN).

Proof. Given an m state automaton on infinite N-ary trees, it is a straightforward exercise to construct an O(mN) state automaton on infinite binary trees, such that the two automata have equivalent emptiness problems. Hossley and Rackoff [8] give a decision procedure for the emptiness problem for automata on infinite binary trees which runs in time O(exp exp n), where n is the number of states of the automaton tested.


these two circuits (since Y, Z # @, the loops cannot be singletons). The required loop for the join 
is x:o0;x;7;x. In the case of rule (5), <s, X, © is the expansion of a circuit <4 Y, w € Emin)» 
where y is a neighbor of x. Inductively, there is a loop w on y for <t Y, u>. The required loop 
for the expansion is xj7;x IJ 


Lemma 4.8: For all paths 1:7 ending in a loop w on x, p(r;x | tim) € g(x). 


Proof. By induction on the length of 7. Let s = p(r;x). If a is the singleton x, then by Lemma 
4.6, p(r;x | t:7) = <> € g(x). If m = x;psx where p is a loop on a neighbor y of x, then 
inductively, p(rsx;y | rixsp) € Emin). Then, by rule (5) for plans, p(73x | t:x57) € g(x). If p 
is not a loop, then by Lemma 4.1, » contains x, ie. p = pix;y. Inductively, p(t;x | 75x52), 
p(t:x,p;x | tia) € g(x). Then, by rule (4) for plans, p(r:x | t:7) € g(x) 0 
Lemma 4.9: The automaton A accepts an infinite tree fif and only if the minimal plan g,,, for A 
on f is good. 


Proof. First, suppose A does not accept f Then there is an infinite path w such that /nffp, 7) € 
G, where p is the run of A on f’ If a is cyclic on x, then 7 = pwio;7 where o is a loop on x and 
p(u:x) = p(uro) € p(u:x, wc) = Infp, 7). Then, by Lemma 4.8, p(u:x | pio) € Smirk), Where 
p(usx) € p(usx, pio) € G, so g,. is not good. If, on the other hand, w is acyclic, then by 
Lemma 4.2 there is an infinite forward path {x,} such that 7 = o;79;... 57,3 ..-, where each 
7, 18 a loop on x, Let { = {p(7,; Bere en eee 37, )}2>0- We leave it to the reader to 
show that ¢ is a series for g_,, on {x,}, but that Sum({) € G, so that Emin 8 Not good. 


Conversely, suppose that g, is not good. Then either there is a node x and a circuit <s, XY, > € 
&mintX) Such that s € X € G or there is an infinite forward path {x,} and a series { = {<s,, X, 
tpt for g min ON 1X,} such that Sum({) € G. If the first case holds, then by Lemma 4.7, there is a 
loop x;2;x such that for all paths + ending in x, if p(r) = s, then p(r, t:a7:x) = X and p(t;7;x) 
= s. By Lemma 4.5, there is a path + ending in x such that p(r) = s. Let p = riaixjaixja3x; * 
* + We leave it to the reader to show that A rejects f because Infp, ») = X € G. If the the 
second case holds, then, by Lemma.4.5, there is an infinite path p = Tif such that for all n, 


€ G, so that A rejects f in this case also. & 


Definition: If f is an infinite N-ary Σ_1-tree and g is an infinite N-ary Σ_2-tree, then the product tree f × g is an infinite N-ary (Σ_1 × Σ_2)-tree defined by (f × g)(x) = <f(x), g(x)>.

Theorem 4.10: Given a deterministic two-way automaton A with m states, there is a nondeterministic one-way automaton B with no more than O(exp^4 m) states which accepts exactly the trees accepted by A. Further, B can be constructed in time O(exp^4 m).
The decision procedure for the emptiness problem depends crucially on the fact that every nonempty set of trees accepted by an automaton contains a finitely generable tree, i.e., a tree obtained by unwinding a finite graph. In chapter 5 we will use this fact to establish a finite model property for delta-PDL and a finite representation property for delta-converse-PDL.


Definition: A frontier of T_N is a maximal incomparable subset X of T_N, i.e., a subset X such that every element of T_N is either a descendant or an ancestor of some member of X, but no member of X is the descendant of any other member of X.

Definition: A finite subtree of T_N is a subset T of T_N such that T = {x ∈ T_N | x < y for some y ∈ X}, where X is a frontier. The frontier of T, front(T), is X, and the interior of T, int(T), is T − front(T). A finite N-ary Σ-tree is a map f: T → Σ, where T is a finite subtree of T_N.

Definition: Given an automaton A on infinite N-ary Σ-trees and a finite N-ary Σ-tree f: T → Σ, a run of A on f is a function ρ: T → S such that ρ(Λ) = s and for all x ∈ int(T), <ρ(x0), ..., ρ(x(N-1))> ∈ M(ρ(x), f(x)).


Definition: A generating map for a finite subtree T of T_N is a function J: front(T) → int(T). Every generating map defines a unique function J*: T_N → T as follows:

J*(Λ) = Λ
J*(xn) = J*(x)n if J*(x) ∈ int(T),
J*(xn) = J(J*(x))n if J*(x) ∈ front(T).

Definition: An infinite Σ-tree f is finitely generable if and only if there is a finite subtree T of T_N and a generating map J such that f = f ∘ J*.


Theorem 3.2 [8, 19]: If an automaton accepts at least one tree, then it accepts a finitely generable 
tree. 


Below we present an alternative formulation of automata on infinite trees. Pairs automata are 
equivalent to ordinary automata in the following sense: for every ordinary automaton, there is a 
pairs automaton which accepts exactly the same trees, and conversely. 


Definition: If Ω = {<L_n, U_n>}_{1≤n≤k} is a finite sequence of pairs of subsets of some set S, then let F_Ω = {X ⊆ S | X ∩ L_n = ∅ & X ∩ U_n ≠ ∅ for some n}. Let G_Ω = Powerset(S) − F_Ω = {X ⊆ S | X ∩ U_n ≠ ∅ → X ∩ L_n ≠ ∅ for all n}. Note that G_Ω is closed under unions, i.e., if X, Y ∈ G_Ω, then X ∪ Y ∈ G_Ω.

Definition: A pairs automaton [8, 18, 19] A is a tuple <S, s, M, Ω>, where S, s, and M are defined as for an ordinary automaton and Ω = {<L_n, U_n>}_{1≤n≤k} is a finite sequence of pairs of subsets of S. A run of A on a tree f is defined exactly as for an ordinary automaton. The pairs automaton A accepts f if and only if there is a run ρ of A on f such that for all infinite forward
infinite paths. A circuit of the form <s, X, s> with s ∈ X indicates that A can cycle endlessly through the set X of states while travelling over a cyclic path, while a series describes the state history of A on an acyclic path. Lemma 4.9 will show that the minimal plan g_min for A on f is good exactly when A accepts f. Note that goodness is preserved under inclusion, i.e., if g and h are two infinite N-ary C_S-trees such that h is good and ∀x ∈ T_N. g(x) ⊆ h(x), then g is good. The lemma below follows immediately.

Lemma 4.4: There is a good plan for A on f if and only if g_min is good.

Proof. The minimal plan g_min is included in every plan for A on f, so g_min must be good if any plan for A on f is good. ∎


The next series of lemmas show that the minimal plan g_min contains precisely the circuits for all loops.


Lemma 4.5: For all x € Ty, if <s, X, OD € g, (0), then there is a path 7 ending in x such that 
p(7) = 5. 


Proof. If <s, X, D € g(x) then there must be a derivation of this fact by rules (1) - (5) for plans. 
We proceed by induction on the structure of derivations. For case (1), the required path is the 
singleton x. If <s> € g(x) by mule (3), then there is a circuit <D € g,.{y), where ¢ = MAb 
Ay)) and y is the n" neighbor of x. By induction there is a path + ending in y such that p(t) = 1 
The required path for <s> is r;x. Similarly for case (2). If <s, X, DE & min) by rule (4), then 
there is a circuit <s ¥,  € g(x) such that Y U {u} € X. By induction there is a path 7 
ending in x such that p(w) = s. If <s X, D € g(x) by rule (5), then <> € g(x). By 
induction there is a path w ending in x such that p(w) = s 1 


Lemma 4.6: For all x € 7), and for all paths w ending in x, <p(7)> € g(x). 


Proof: We proceed by induction on the length of paths. If m is a singleton, then p(7) = sp and 
5g? © 8 nifX) by rule (1). If #7 = rin, where 7 ends in A, then p(z) = L,(p(r), AA)) and 
<p(m)> € g(x) by rule (2). Finally, if w = 15x, where + ends in y # A and x is the nth 
neighbor of y, then p(x) = M,(p(r), Ay)) and <p(s)> € gninix) by rule (3). 


Lemma 4.7: For all x € Ty, if <s X, DE & mink) then there is a loop m7 on x such that for all 
paths of the form t:m, if p(r;x) = s then p(t;x, 7:7) = X and p(ti7) = 1 


Proof: If <s, X, D € g,,.,(x) then there must be a derivation of this fact by rules (1) - (5) for plans. 
We proceed by induction on the structure of derivations. For the cases (1) - (3), the required loop 
mint *) 
(x), such that ¥) Z # @. Inductively. there are loops x;o1x. and x:tzx for 


is the singleton x. In the case of rule (4), <s, A. PD is the join of two circuits <4 ¥, w € g 
and <v, 7, > € zg 


min 
paths π, Inf(ρ, π) ∈ F_Ω (i.e., ∉ G_Ω).


Pairs automata as defined above will not be used in this thesis. However, by reversing the 
standard definition of acceptance, we obtain a new type of automaton, the complemented pairs 
automaton. In chapter 5 we will use complemented pairs automata to decide the satisfiability of 
delta-PDL formulae. 


Definition. A complemented pairs automaton A is a tuple <S, s, M, Ω>, where S, s, M, and Ω = {<L_n, U_n>}_{1≤n≤k} are defined as for a pairs automaton. A run of A on a tree f is defined exactly as for a pairs automaton. However, the complemented pairs automaton A accepts f if and only if there is a run ρ of A on f such that for all infinite forward paths π, Inf(ρ, π) ∈ G_Ω (i.e., ∉ F_Ω).


The fact that G_Ω is always closed under unions permits a simplified decision procedure for the emptiness problem for complemented pairs automata. The interested reader should compare the procedure below with that of Hossley and Rackoff [8] in order to fully appreciate the similarities and differences. Note that the running time of the procedure below depends both on the number of states and the number of pairs of the automata tested. In chapter 5 we will use complemented pairs automata where k, the number of pairs, is O(log m), where m is the number of states. The procedure below decides the emptiness problem for such automata in time O(exp m), as opposed to time O(exp exp m) for Hossley's and Rackoff's more general procedure.


Definition: A string q_0 ··· q_m ∈ S* is good with respect to a complemented pairs automaton A = <S, s, M, Ω> if and only if ∃i < m. q_i = q_m & {q_{i+1}, ..., q_m} ∈ G_Ω.


Lemma 3.3. The set of strings which are good with respect to a complemented pairs automaton with m states and k pairs is accepted by a deterministic automaton on finite strings of size at worst O(exp exp(k+log m)).

Proof: It is straightforward to construct a nondeterministic automaton on finite strings, with no more than O(m × 2^k) states, which accepts exactly the good strings. Applying the Rabin-Scott powerset construction yields the required deterministic automaton.
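The definitions of G_Ω and of good strings can be exercised directly. The Python below is an added example, not code from the thesis: it tests membership in G_Ω, confirms closure under unions by exhaustive search, and looks for the shortest good prefix along an ultimately periodic sequence of states. The state names, the single pair in OMEGA and the stem/cycle representation of a path are assumptions made for the illustration.

```python
from itertools import combinations

# Added illustration (not from the thesis). Omega is a list of pairs (L_n, U_n)
# of sets of states.

def in_G(X, omega):
    """X is in G_Omega iff every pair whose U_n meets X also has L_n meeting X."""
    X = set(X)
    return all(not (X & U) or bool(X & L) for (L, U) in omega)

def closed_under_unions(states, omega):
    """Exhaustively confirm that X, Y in G_Omega implies X ∪ Y in G_Omega."""
    subsets = [set(c) for r in range(len(states) + 1)
               for c in combinations(sorted(states), r)]
    members = [X for X in subsets if in_G(X, omega)]
    return all(in_G(X | Y, omega) for X in members for Y in members)

def is_good(string, omega):
    """q_0 ... q_m is good iff some i < m has q_i = q_m and {q_{i+1}, ..., q_m} in G_Omega."""
    m = len(string) - 1
    return any(string[i] == string[m] and in_G(string[i + 1:], omega)
               for i in range(m))

def shortest_good_prefix(stem, cycle, omega):
    """Length of the shortest good prefix of stem·cycle·cycle·..., searched over the
    prefixes that end within three turns of the cycle; None if none of them is good."""
    path = list(stem) + list(cycle) * 3
    for length in range(2, len(path) + 1):
        if is_good(path[:length], omega):
            return length
    return None

# Constructed automaton data: three states and one pair (L_1, U_1) = ({'l'}, {'u'}),
# so a set of states that contains 'u' is in G_Omega only if it also contains 'l'.
STATES = {'s', 'l', 'u'}
OMEGA = [({'l'}, {'u'})]

if __name__ == '__main__':
    print(closed_under_unions(STATES, OMEGA))
    print(shortest_good_prefix(['s'], ['u', 'l'], OMEGA))   # states seen infinitely often: {u, l}
    print(shortest_good_prefix(['s'], ['u'], OMEGA))        # states seen infinitely often: {u}
```

The first path repeats a set of states that lies in G_Ω and has a good prefix of length 4; the second repeats only {u}, which is not in G_Ω, and no prefix of it is good.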


Definition: A finite N-ary Σ-tree f: T → Σ is good (with respect to A) if there is a run ρ of A on f such that for all x = n_1 ··· n_j in the frontier of T, ρ(Λ)ρ(n_1)ρ(n_1n_2) ··· ρ(x) is good.

Lemma 3.4: The set of good trees for a complemented pairs automaton with m states and k pairs is accepted by a deterministic automaton on finite N-ary trees with no more than O(exp exp(k+log m)) states.

Proof: Let B be the deterministic automaton on finite strings guaranteed by the preceding lemma. The desired tree automaton, given a tree f, simulates A on f in order to construct a run of A on f while simultaneously using B to check every path of this run. ∎
an automaton, so we abbreviate <s, ∅, s> to <s>.


Notation: If p: Py ~ S and +t, 7 € Py, then p(t, 7) = {p(u) | 7 <p < m} and p(t | 7) = 
<p(r), p(t, 7), p(m). 


Definition: Given an automaton A and a tree f, a plan for A on fis an infinite N-ary C,rtree g 
such that for all x € Ty: j 
(1) <sp> E 2x) 
(2) if <> € g(A), then <L(s, fA) € gn); 
(3) if x # A and <s> € g(x) and y is the n™ neighbor of x, then <M AS Ad) € gh) 
(4) if <s, X, D E ox) and <4 Y, wD € ex) with X, Y# SW, then<s YU{H UY WE 
ex), in which case the resulting circuit is called the join of the original two. 
(5) if <s> € g(x), y is the n’* neighbor of x, x is the m” neighbor of y, ¢ = LAs, f(A)) if x 
= A or M,(s, fx) otherwise, v = L(u fA)) ify = A or MCs, fx) otherwise, and 
<4 X, oH € ey), then <s, ¥ U {tu}, wo € efx), in which case the resulting circuit is 
called the expansion of the first one. 


The above five conditions are intended to force a plan to include circuits for all possible loops through a tree, but they do not rule out the presence of circuits which do not correspond to any loop. It will be shown, however, that the least or minimal plan contains precisely the circuits for all loops.


Lemma 4.3: For each automaton A and tree f there is a plan g_min for A on f such that for all plans g for A on f and nodes x ∈ T_N, g_min(x) ⊆ g(x).

Proof. Define g_min as the pointwise intersection of all plans for A on f. ∎


Definition: Given a plan g and an infinite forward path {x_n}, a series for g on {x_n} is an infinite sequence of circuits {<s_n, X_n, t_n>} such that for all n, <s_n, X_n, t_n> ∈ g(x_n) and s_{n+1} = M_m(t_n, f(x_n)) (or L_m(t_n, f(Λ)) if x_n = Λ) if x_{n+1} is the m-th neighbor of x_n.

Definition: If ζ is a sequence of circuits, then Sum(ζ) = {s ∈ S | s ∈ X ∪ {t, u} for infinitely many <t, X, u> on ζ}.

Definition: An infinite N-ary C_S-tree g is good if and only if

(1) for all x ∈ T_N, if <s, X, s> ∈ g(x) and s ∈ X, then X ∈ G.

(2) for all infinite forward paths {x_n} and series ζ = {<s_n, X_n, t_n>} for g on {x_n}, Sum(ζ) ∈ G.


The two conditions for goodness correspond to the two forms, cyclic and acyclic, of 
Corollary 3.5: The goodness problem for a complemented pairs automaton A on infinite N-ary trees with m states and k pairs, i.e., the problem of deciding whether A has a good tree, is decidable in time at worst O(N? x exp exp(k+logm).

Proof. The preceding lemma shows that the goodness problem for A is equivalent to the emptiness problem for an automaton B on finite N-ary trees of size at worst O(exp exp(k+log m)). It is straightforward to construct an automaton C on finite binary trees, of size at worst O(N × exp exp(k+log m)), such that C and B have equivalent emptiness problems. Rabin [R69] gives a decision procedure for the emptiness problem for automata on finite binary trees which runs in time O(n*), where n is the number of states of the automaton tested. ∎


Theorem 3.6: If A accepts a tree, then A has a good tree. 


Proof: Suppose A accepts the infinite N-ary Z-tree f Let p: Ty — S be an accepting run of A 
on f We claim that for all infinite forward paths a, there is an x = n,*** n, on @ such that 
p(A) - + * p(x) is a good string. For if = {x,},> is an infinite forward path, then X = Inf(p, 
1) € Go. For all n, let g, = p(x,). Let i = min{n | Wm > nq, € X}. Let j = min{n > ilq, 
= 9 & {G.,.5-+-.94,$ = X}. Let x = XX Then p(A)°*** p(x) = % °° 49;° °° 4; With 
G= q and 19), pee 4 qj = X. So p{A) °* * p(x) is a good string. 

Let $T = \{\, x \in T_N \mid \forall y < x.\ \rho(\Lambda) \cdots \rho(y) \text{ is not good} \,\}$. We leave it to the reader to establish that 
T is a finite subtree of $T_N$ and that f restricted to T is a good tree. ∎ 


Theorem 3.7: If A has a good tree, then A accepts some tree. 


Proof: Suppose g is a good tree where $g: T \to \Sigma$ and T is a finite subtree of $T_N$. 


Let o be a run of A on g which makes g good. Then o(A)° ~~: o(x) is a good string for all x € 
front), i.c., there exists a y < x such that if x = yn, °° + n, then o(x) = o(y) and {o(), o(yn)), . 
.+, O(yn, *** 144)} © Gg. Define a generating map J: fron(T) — int(T) by (x) = y. Note that 
for all x € T, J*(x) = x, and that for x € T, J*(x) < x. Define f Ty > Zby f= g°F; ie, f 
is the finitely generable tree generated by g and J. Similarly, extend o to Ty by defining p = o 
o J*, We leave it to the reader to prove that p is a run of A on f 


We claim that p is an accepting run of A on f For suppose 7 = {x,}, 5 is an infinite forward 
path. Let y, = J*(x,) for n > 0 and let Y = Inf*, 7). The interior of 7 is finite, so 37 Y = 
{y, | 1 = i}. Also, by the definition of J and /*, Ym 18 either a successor or an ancestor of y,, 
for all m. Let Z = {y € infT)| zn) < y < z for some z € Y, zn € fron(7), Azn) € Y} = {y 
€ inkT) | Yiu, SY S Vp» for some m > jh. 


We claim that Y = Z. For suppose that y, € Z for some k > i. We shall show that for all m > 
ify, > 3, then y,,,> 3, For suppose y, > y, for some m > i We know that y,,,; is either 


a successor or an ancestor of y. If y,,, is an ancestor of y, then y., <y,, and y, < y,, 


imply that cither y,.) <3, Ory > Jy Buty, Sy, and y, < y,, imply that y, € Z, 
Definition: A deterministic two-way automaton on infinite N-ary $\Sigma$-trees is a tuple 
$A = \langle S, s_0, L, M, G \rangle$, where 


(1) S is a finite set of states. 
(2) $s_0 \in S$ is the initial state. 


(3) $L: S \times \Sigma \to S^N$ is the next state map for the root; for $s \in S$ and $\sigma \in \Sigma$, let 
$L(s, \sigma) = \langle L_0(s, \sigma), \ldots, L_{N-1}(s, \sigma) \rangle$. Informally, if A is in state s on the root, labelled $\sigma$, 
then A will be in state $L_n(s, \sigma)$ on the node n. 


(4) $M: S \times \Sigma \to S^{N+1}$ is the next state map for non-root nodes; for $s \in S$ and $\sigma \in \Sigma$, let 
$M(s, \sigma) = \langle M_0(s, \sigma), \ldots, M_N(s, \sigma) \rangle$. Informally, if A is in state s on a node labelled 
$\sigma$, then A will be in state $M_n(s, \sigma)$ on the $n$th neighbor of that node. 


(5) $G \subseteq \mathrm{Powerset}(S)$ is a collection of acceptable sets of states. Informally, A accepts a 
tree if for every infinite path $\pi$, G contains the set of states entered infinitely often 
along $\pi$. 


Definition: The run of a two-way automaton A on an infinite N-ary $\Sigma$-tree f is the function 
$\rho: P_N \to S$ such that 


(1) If $\pi$ is a singleton, $\rho(\pi) = s_0$. 
(2) If $\pi$ is a path ending in $\Lambda$, $\rho(\pi;n) = L_n(\rho(\pi), f(\Lambda))$. 


(3) If $\pi$ is a path ending in $x \neq \Lambda$ and y is the $n$th neighbor of x, 
$\rho(\pi;y) = M_n(\rho(\pi), f(x))$. 


Definition: If $\rho$ is the run of A on f and $\pi$ is an infinite path, then 
$\mathrm{Inf}(\rho, \pi) = \{\, s \in S \mid \rho(\tau) = s \text{ for infinitely many finite paths } \tau < \pi \,\}$. 


Definition: A two-way automaton A accepts an infinite N-ary $\Sigma$-tree f if and only if for all infinite 
paths $\pi$, $\mathrm{Inf}(\rho, \pi) \in G$, where $\rho$ is the run of A on f. 
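
The following sketch is an added example, not code from the paper: it evaluates the run of a deterministic two-way automaton along a finite path and computes Inf for a cyclic infinite path given as a stem followed by a loop repeated forever. The dictionary encoding of A, the sample automaton and the labelling f are constructed assumptions, and only cyclic paths are handled.

```python
N = 2  # arity; a node is a tuple over {0, ..., N-1}, the root Λ is ()

def neighbor_index(x, y):
    """n such that y is the n-th neighbor of x; n == N means y is the parent."""
    if len(y) == len(x) + 1 and y[:-1] == x:
        return y[-1]
    if len(x) == len(y) + 1 and x[:-1] == y:
        return N
    raise ValueError(f"{x} and {y} are not neighbors")

def step(A, f, state, x, y):
    """State after moving from node x (entered in `state`) to neighbor y."""
    table = A["L"] if x == () else A["M"]   # the root has its own map
    return table[(state, f(x))][neighbor_index(x, y)]

def run(A, f, path):
    """rho(path) for a finite path given as a list of nodes."""
    state = A["s0"]                          # rho of a singleton is s0
    for x, y in zip(path, path[1:]):
        state = step(A, f, state, x, y)
    return state

def inf_states(A, f, stem, loop):
    """Inf(rho, pi) for the cyclic path pi = stem, then loop repeated forever."""
    if not (stem[-1] == loop[0] == loop[-1]):
        raise ValueError("loop must start and end on the last node of stem")
    state, first_seen, trace = run(A, f, stem), {}, []
    while state not in first_seen:           # stop when a start state repeats
        first_seen[state] = len(trace)
        visited = []
        for x, y in zip(loop, loop[1:]):
            state = step(A, f, state, x, y)
            visited.append(state)
        trace.append(visited)
    # traversals from the first repeat onwards recur forever; earlier ones are transient
    return {s for visited in trace[first_seen[state]:] for s in visited}

def accepts_on(A, f, stem, loop):
    return frozenset(inf_states(A, f, stem, loop)) in A["G"]

# Constructed sample: the state records the label of the node just left.
S = SIGMA = ("a", "b")
A = {"s0": "a",
     "L": {(s, c): (c,) * N for s in S for c in SIGMA},
     "M": {(s, c): (c,) * (N + 1) for s in S for c in SIGMA},
     "G": {frozenset({"a"})}}               # accept iff "b" is entered only finitely often

def f(x):
    return "b" if x == (0,) else "a"         # constructed labelling of the tree
```

Acceptance in the sense of the definition quantifies over all infinite paths; `accepts_on` checks the condition for one cyclic path only.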


Lemma 4.2 shows that an infinite path $\pi$ can take only two forms: either $\pi$ loops endlessly 
on a single node or else $\pi$ passes through all the nodes of an infinite forward path, looping 
(perhaps trivially) on each one. This suggests that a one-way automaton might be able to simulate a 
two-way automaton by successively guessing state information about the loops on each node. This 
method of simulation is successful because it is possible for an automaton to check that the guesses 
include information about all possible loops. 


Definition: If S is a set of states, then a circuit is an element $\langle s, X, t \rangle$ where $s, t \in S$ and $X \subseteq S$. 
The collection of sets of circuits is denoted by C,. Intuitively, a circuit represents the state history 
of a two-way automaton as it passes through a loop: s and t are the initial and final states and X is 
the set of intermediate states. A circuit of the form $\langle s, \emptyset, s \rangle$ represents the instantaneous state of 
contradicting the hypothesis, so y..,; > yy If y,.41 is a successor of y,, then y,.1 > y, also. 


Hence, for all m > i, if y,, > y,, then Ym41> Ye Vherefore, for all m > é ify, > y,, then for all 

I1> m,y,> y, Therefore, if dy € ¥. y > y,, then Vy € Y. y> y,. But y, ,, is either a successor 
or an ancestor of y,. But if y,,, is a successor of y,, then Jy € Y. y > y,, implying Vy € Y. y> 
Yj. implying y, > y,, a contradiction. And if Yx_41 18 an ancestor of y,, then y,,, < y, and y, < 
Jy,» implying y, € Z, contradicting the hypothesis. Therefore, Vk >i y, € Zie, YO Z 


Conversely, suppose that z € Z, but z € Y. Then for some k > i, Yeu S75, But yy) = 
zor y, = z contradicts the hypothesis that z € Y, so Ven © 2 Vy. We shall show that for all m 
> 4 if y,,, > z then y,, > z For suppose y,,,, > z for some m > i We know that y,,, , is 
either a successor or an ancestor of y,. If y,,,1 is a successor of y,, then y,,, > z implies that 
Vm = 2 But y, = z implies that z € Y, contradicting the hypothesis, soy, > z. If y,.1 is an 
ancestor of y,, then y, > z also. 

Hence, for all m > i, ify, ,, > z, then y, > z. Therefore, for all m > i if y,, > z, then fori </ 
< m, y,>z. Since Y = {y|y,, = y for infinitely many m}, if dy € Y. y>z, then Vy € ¥. y > z. 
But yp, ¥y41 © Y yet 4) < 28 Vy a contradiction. Therefore, Z © Y. This concludes the 
proof that Y = Z. 


Hence, Inf(p, 7) = {o%) | y € Y} = {o) ] y € Z} 
= {aly | Int SVS Ie for some m > i} 


= {o() | KAzn) < y < z for some z € Y, zn € fron(T), Azn) € Y} 
U.€ y.2n€ frond T),Men€Y {o0) | Azn) Sy < 2}. 


By the construction of J, each set {o(y) | Azn) < y < z} € Gg. Since Gog is closed under 
unions, Inf(p, 7) € Gg. Since Inf(p, 7) € Gg for all infinite forward paths 7, p is an accepting 
run for A on f. Therefore A accepts f. ∎ 


Theorem 3.8: The emptiness problem for complemented pairs automata on infinite N-ary trees with 
m states and k pairs can be decided in time at worst O(N? x exp exp(k+logm)). 


Proof: The two preceding theorems show the equivalence of the emptiness and goodness problems 
for complemented pairs automata. The result follows immediately from Corollary 3.5. ∎ 
4 Two-Way Automata on Infinite Trees 


Analogously to two-way automata on finite strings, we can define two-way automata on 
infinite trees. Two-way automata compute along all infinite paths through a tree, i.e., 
computations begin at all the nodes of the tree and branch in all directions, including back towards 
the root. It is technically convenient to allow two-way automata to distinguish the root from all 
other nodes. Theorem 4.10 shows how to simulate deterministic two-way automata by 
nondeterministic one-way automata; we do not know whether this result can be extended to 
nondeterministic two-way automata. First, however, infinite trees and paths through infinite trees 
are defined, and some simple results proved about the structure of paths. 


Definition: Recall that $T_N$ is an infinite N-ary tree. Two nodes x and y of $T_N$ are neighbors when 
either x is a successor of y or y is a successor of x. For $0 \le n \le N-1$, the $n$th neighbor of x is xn; 
if x is the successor of y, then y is the Nth neighbor of x. 


Definition: A finite (infinite) path on $T_N$ is a finite (infinite) sequence $\{x_n\}$ of elements of $T_N$ such 
that for all n, $x_n$ and $x_{n+1}$ are neighbors. Let $P_N$ denote the set of finite paths on the tree $T_N$. If 
$\pi = \{x_n\}_{0 \le n \le j}$ and $\tau = \{x_n\}_{j < n \le k}$ are two finite paths such that $x_j$ and $x_{j+1}$ are 
neighbors, then the concatenation of $\pi$ and $\tau$ is $\pi;\tau = \{x_n\}_{0 \le n \le k}$ (defined similarly if $\tau$ is an 
infinite path). The relation $\pi < \tau$ holds if and only if $\tau = \pi;\sigma$ for some nonempty path $\sigma$. A 
forward path is a path $\{x_n\}$ such that $x_{n+1}$ is a successor of $x_n$ for all n. A loop on x is a finite 
path $\{x_n\}_{0 \le n \le k}$ such that $x_0 = x_k = x$. A simple loop is a loop $x;\pi;x$ such that $\pi$ does not 
contain x. A singleton is a path consisting of a single element. An infinite path $\pi$ is cyclic on x if 
and only if x occurs infinitely often in $\pi$; $\pi$ is acyclic if and only if it is not cyclic on any x. 


Lemma 4.1: If $x;\pi;x$ is a simple loop, then $\pi$ is a loop. 


Proof. Since $x;\pi;x$ is a path from x to itself, $\pi$ must begin and end with neighbors of x. Any 
path, however, which connects two distinct neighbors of x must include x. Hence, if $\pi$ does not 
include x, $\pi$ must begin and end with the same neighbor of x. ∎ 


Lemma 4.2: If $\pi = \{x_n\}_{n \ge 0}$ is an infinite acyclic path, then there is an infinite forward path 
$\{y_n\}_{n \ge 0}$ such that $\pi = \sigma;\tau_0; \ldots ;\tau_n; \ldots$, where each $\tau_n$ is a loop on $y_n$. 

Proof. Clearly, $\pi$ must contain a least element x. Let $\sigma$ be a (possibly empty) initial segment of $\pi$ 
preceding some occurrence of x in $\pi$. Let $y_0$ be x and let $\tau_0$ be that segment of $\pi$ which extends 
from $\sigma$ to include the last occurrence of x in $\pi$, so that $\tau_0$ is a loop on $y_0$. Inductively, given $y_n$ 
and $\tau_n = \{x_m\}_{j \le m \le k}$, let $y_{n+1} = x_{k+1}$ and let $\tau_{n+1}$ be that segment of $\pi$ which extends 
from $\sigma;\tau_0; \ldots ;\tau_n$ to include the last occurrence of $y_{n+1}$ in $\pi$, so that $\tau_{n+1}$ is a loop on $y_{n+1}$. 
The reader can verify that $\{y_n\}_{n \ge 0}$ is an infinite forward path. ∎ 


